Click Me

Now they can guess your Social Security Number

Posted by foreualways on July 7, 2009

By now we’ve had it beaten into our thick skulls: Protect your Social Security Number at all costs, because those nine magic digits are the gateway to your entire life. Financial history, medical records… just about everything hinges on your SSN remaining private.

As such, large-scale thefts of SSN and other private information continue to make headlines, but this piece of news takes the cake: Researchers at Carnegie Mellon University have now figured out a way to roughly reverse engineer the way in which Social Security Numbers are assigned. Armed with your date of birth and the state in which you were born, it’s now possible to generate a quite small set of digits that are likely to contain your actual SSN.

How is this possible? Mainly because SSNs aren’t just randomly generated. The first three digits are tied to your state of birth, and the next two digits (the "group number") are used sequentially as SSNs are handed out over time. The final four digits are supposedly random, but using a public database called the Death Master File, which lists SSNs that were held by the deceased, patterns emerged in those digits, as well.

The result is that, depending on the state and year of birth (the older you are and the larger your state of birth, the harder it is to guess your SSN), the researchers could guess a Social Security Number’s first five digits with up to 90 percent accuracy, and the last four digits with up to 5 percent accuracy. Considering the odds of getting a SSN right by random guess really ought to be 1 in a billion, that’s a phenomenal success rate.

And if those numbers seem small, consider that with the use of commonly-available botnets, computers could correctly guess dozens of SSNs every minute by simple brute force as they apply for bogus credit cards en masse. The Ars Technica story linked above also notes that many credit card verification services allow for a couple of digits in an SSN to be wrong, as a convenience for forgetful applicants, opening the door a little wider for hackers.

What happens now? It’s hard to imagine an organization as venerable and bureaucratic as the Social Security Administration to change the way it works, but it’s hard not to think that the nine-digit SSN may have at last outlived its utility, and its security. Still, just try to imagine the upheaval should the country attempt to move to longer numbers…